Abstract

We give a new denotational semantics for a shared variable parallel programming language and prove full abstraction: the semantics gives identical meanings to commands if and only if they induce the same partial correctness behavior in all program contexts. The meaning of a command is a set of "transition traces", which record the ways in which a command may interact with and be affected by its environment. We show how to modify the semantics to incorporate new program constructs, to allow for different levels of granularity or atomicity, and to model fair infinite computation, in each case achieving full abstraction with respect to an appropriate notion of program behavior.
CARNEGIE MELLON

1 Introduction


One of the fundamental purposes of semantics is to provide rigorous means of proving the correctness of programs with respect to behavioral specifications. For any particular language different semantic models may be suitable for reasoning about different behavioral notions, such as partial correctness, total correctness, and deadlock-freedom. Ideally one would like a semantics in which the meaning of one term coincides with the meaning of another term if and only if the terms induce the same behavior in each program context; this guarantees that one term may be replaced by the other in any context without affecting the behavior of the overall program, thus supporting compositional or modular reasoning about program behavior. Such a semantics is equationally fully abstract with respect to the given notion of behavior [10, 13, 15]. When the set of program behaviors is equipped with an approximation ordering and the semantic model has a partial order such that the meaning of one term is less than the meaning of another if and only if the behavior of the first term in each program context approximates the behavior of the second term in the same context, the semantics is inequationally fully abstract with respect to the given notion of program behavior and approximation. An inequationally fully abstract semantics is also equationally fully abstract.

The difficulty of finding fully abstract semantics is well known [2, 10, 13, 15]. Many standard semantic models are correct, in that whenever two terms induce different behavior in some context they denote different meanings, but too concrete since the converse may fail. Sometimes one can show that by adding extra syntactic constructs to the programming language the model becomes fully abstract. However, unless the extra constructs are computationally natural and the original language was clearly deficient because of their omission, the full abstraction problem for the original language is still important.

The standard state-transformation semantics for sequential while-programs is fully abstract with respect to partial correctness behavior. However, for a parallel version of this language [5, 11], in which parallel commands can interact by updating and reading shared variables, the full abstraction problem is more difficult. Parallel programs may exhibit non-deterministic behavior, depending on the scheduling of atomic actions, so the partial correctness behavior of a parallel command is naturally modelled as a non-deterministic state transformation, usually represented as a function from states to sets of states. However, the state transformation denoted by a parallel combination of commands cannot be determined solely from the state transformations denoted by the component commands; thus the state-transformation semantics for a parallel language is not even compositional, and is certainly not fully abstract. One needs a semantic model with more detailed structure, so that the possible interactions between commands executing in parallel may be modelled appropriately.

Hennessy and Plotkin [5] described a denotational semantics for this language, based on a recursively defined domain of resumptions, built with a powerdomain operator. However, the resumptions semantics is too concrete: skip and skip; skip denote different resumptions even though they induce the same partial correctness behavior in all contexts. They showed that with the addition of extra features to the programming language, the resumptions model becomes fully abstract. However, one of the extra constructs is a rather peculiar form of coroutine execution which allows counting of the number of atomic steps taken by a command executing in parallel. The problem remained of finding a fully abstract model for the original parallel language.

In this paper we solve this problem: we describe a new denotational semantics for this language, and we show that it is fully abstract with respect to partial correctness behavior. We model the meaning of a command as a set of transition traces. A transition trace is a finite sequence of pairs of states recording a possible interaction sequence of the command with its environment; each pair of states represents the effect of a finite, possibly empty, sequence of atomic actions. The set of traces of a command is closed under two natural operations: "stuttering" (cf. Lamport [9]) and "mumbling". This model is conceptually simpler than the resumptions model, since it does not require the use of powerdomains or recursively defined domains. The model also validates a number of intuitively natural equations and inequations between programs which fail in the resumptions model.

We show that our semantic model is adaptable to a variety of settings: one may easily accommodate the addition of certain extra features to the programming language, and the results do not depend crucially on assumptions about the level of atomicity or granularity of execution. We show that the semantic model can be extended to model fair infinite computations, producing a fully abstract semantics with respect to the appropriate notion of behavior, in which both termination and non-termination are regarded as observable. This semantics may be used to reason about total correctness, and about safety and liveness properties, of parallel programs executing fairly.

Previous Work

We have already mentioned the relationship between our semantics and the resumptions model of Hennessy and Plotkin [5].

The idea of using sequences or traces of some kind to model the behavior of concurrent programs is widespread. For instance, several authors have used traces to build models of determinate or indeterminate dataflow networks, notably [7, 8, 14]. Indeed, others have also used sequences of pairs of states [3, 6, 12] in imperative settings. However, in these papers a pair of states represents a single atomic action while in our model it represents a finite sequence of atomic actions. The semantics presented in [3, 6] are for different languages and different notions of program behavior. Park's semantics [12] for the same language that we discuss is too concrete, distinguishing between skip and skip; skip again, because his traces record step-by-step behavior exactly. Our work shows how to adapt his semantics to obtain full abstraction. Abadi and Plotkin [1] use a trace model (prefix-closed sets of finite sequences of pairs of states, also closed under stuttering and mumbling) for reasoning about safety properties of reactive systems and the study of composition rules.

2 Syntax

We discuss a standard shared variable parallel language, as in [5, 11]. There are four syntactic sets: $Ide$, the set of identifiers, ranged over by $I$; $Exp$, the set of expressions, ranged over by $E$; $BExp$, the set of boolean expressions, ranged over by $B$; and $Com$, the set of commands, ranged over by $C$. Identifiers and expressions denote integer values, boolean expressions denote truth values, and the language contains the usual arithmetic and boolean operators and constants. For commands we specify the following grammar:

$$C ::= \mathbf{skip} \mid I:=E \mid C_1;C_2 \mid C_1 \| C_2 \mid \mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2 \mid \mathbf{while}\ B\ \mathbf{do}\ C \mid \mathbf{await}\ B\ \mathbf{then}\ C$$

A command of the form await $B$ then $C$ is a conditional critical region, converting $C$ into an atomic action that is enabled only in states satisfying $B$; we impose the (reasonable) syntactic restriction that $C$ must be a finite sequence of assignments (or skip).
3 An operational semantics

We present a structural operational semantics similar to the semantics given in [5].

We use $N$ for the set of integers, ranged over by $n$; and $V = \{tt, ff\}$ for the set of truth values, ranged over by $v$. A state is a finite partial function from identifiers to integer values. Let $S = [Ide \to_p N]$ denote the set of states, ranged over by $s$. We write $dom(s)$ for the domain of $s$, and $[s \mid I = n]$ for the state which agrees with $s$ except that it gives identifier $I$ the value $n$. We use notation like $[I_1 = n_1, \ldots, I_k = n_k]$ for states.

When $s$ is a state defined on (at least) the free identifiers of $E$, we write $(E,s) \to^* n$ to indicate that $E$ evaluates to $n$ in state $s$. Similarly for boolean expressions. We assume that the semantics of expressions and boolean expressions are given by semantic functions $\mathcal{E}$ and $\mathcal{B}$, characterized operationally by:

$$\mathcal{E}[\![E]\!] = \{(s,n) \mid (E,s) \to^* n\}$$
$$\mathcal{B}[\![B]\!] = \{(s,v) \mid (B,s) \to^* v\}.$$

For command execution we specify a set of configurations

$$Conf = \{(C,s) \in Com \times S \mid free[\![C]\!] \subseteq dom(s)\},$$

a subset of successfully terminated configurations, and a transition relation $\to \subseteq Conf \times Conf$. The successfully terminated configurations are those for which $(C,s)\,term$ is provable. A configuration that is not successfully terminated but has no enabled transition is deadlocked. The transition rules, given in Figure 1, specify that boolean expression evaluations, assignments, and conditional critical regions are atomic actions. Later we will show how to adapt our semantics to model finer levels of atomicity or granularity of execution.

4 Partial correctness behavior

We define the partial correctness behavior function $\mathcal{M} : Com \to \mathcal{P}(S \times S)$ by:

$$\mathcal{M}[\![C]\!] = \{(s,s') \mid (C,s) \to^* (C',s')\,term\},$$

and we put $\mathcal{M}[\![C]\!]s = \{s' \mid (s,s') \in \mathcal{M}[\![C]\!]\}$.

This induces a preorder $\sqsubseteq_M$ and an equivalence relation $=_M$ on commands:

$$C \sqsubseteq_M C' \iff \forall s.(free[\![C]\!] \cup free[\![C']\!] \subseteq dom(s) \Rightarrow \mathcal{M}[\![C]\!]s \subseteq \mathcal{M}[\![C']\!]s)$$
$$C =_M C' \iff C \sqsubseteq_M C'\ \&\ C' \sqsubseteq_M C.$$

Partial correctness equivalence is not a substitutive relation, since we have:

$$x:=1; x:=x+1 \;=_M\; x:=2$$
$$(x:=1; x:=x+1) \| x:=2 \;\neq_M\; x:=2 \| x:=2.$$

We therefore define the substitutive preorder $\leq_M$ and substitutive equivalence relation $\simeq_M$:

$$C \leq_M C' \iff \forall P[\cdot].(P[C] \sqsubseteq_M P[C'])$$
$$C \simeq_M C' \iff C \leq_M C'\ \&\ C' \leq_M C,$$

where $P[\cdot]$ ranges over program contexts, that is, programs with a hole (denoted $[\cdot]$) into which a command may be substituted; and $P[C]$ denotes the program obtained by substituting $C$ into the hole. Thus $C \simeq_M C'$ if and only if $C$ and $C'$ are interchangeable in all program contexts without affecting partial correctness.
$$(\mathbf{skip},s)\,term$$

$$\frac{(E,s) \to^* n}{(I:=E,s) \to (\mathbf{skip},[s \mid I = n])}$$

$$\frac{(C_1,s) \to (C_1',s')}{(C_1;C_2,s) \to (C_1';C_2,s')} \qquad \frac{(C_1,s)\,term}{(C_1;C_2,s) \to (C_2,s)}$$

$$\frac{(C_1,s) \to (C_1',s')}{(C_1 \| C_2,s) \to (C_1' \| C_2,s')} \qquad \frac{(C_2,s) \to (C_2',s')}{(C_1 \| C_2,s) \to (C_1 \| C_2',s')}$$

$$\frac{(C_1,s)\,term \qquad (C_2,s)\,term}{(C_1 \| C_2,s)\,term}$$

$$\frac{(B,s) \to^* tt}{(\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2,s) \to (C_1,s)} \qquad \frac{(B,s) \to^* ff}{(\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2,s) \to (C_2,s)}$$

$$(\mathbf{while}\ B\ \mathbf{do}\ C,s) \to (\mathbf{if}\ B\ \mathbf{then}\ C;\mathbf{while}\ B\ \mathbf{do}\ C\ \mathbf{else}\ \mathbf{skip},s)$$

$$\frac{(B,s) \to^* tt \qquad (C,s) \to^* (C',s')\,term}{(\mathbf{await}\ B\ \mathbf{then}\ C,s) \to (\mathbf{skip},s')}$$

Figure 1: Operational semantics for commands
5 Denotational semantics

Resumptions

Hennessy and Plotkin [5] gave a denotational semantics based on a domain $R$ of "resumptions", defined recursively by the domain equation

$$R = S \to \mathcal{P}(S + (R \times S)),$$

where $\mathcal{P}$ is a suitable powerdomain constructor, $+$ denotes the separated sum and $\times$ denotes the cartesian product of domains. However, the resumptions semantics makes many unnecessary distinctions between programs: for instance skip and skip; skip denote different resumptions even though they induce the same partial correctness properties in all contexts.

Hennessy and Plotkin added a form of "coroutine" composition $C_1$ co $C_2$ to the syntax of the programming language, together with a non-deterministic choice operation $C_1$ or $C_2$. The operational behavior of $C_1$ co $C_2$ is to perform single atomic steps alternately from $C_1$ and $C_2$ until one of them terminates, and $C_1$ or $C_2$ can behave either like $C_1$ or like $C_2$. These two extra constructs permit program contexts to be built which can count the number of atomic actions taken by a command, thus distinguishing between skip and skip; skip. The resumptions model then becomes fully abstract for this extended language. Nevertheless, this coroutine construct seems rather ad hoc and the full abstraction problem for the original language remained open.

Transition traces

The main problem with the resumptions model is that it represents explicitly the one-step transition relation $\to$ and is therefore forced to distinguish between too many commands. Instead we design a semantic model based on the reflexive, transitive closure of the transition relation (denoted $\to^*$).

Informally, a transition trace of a command $C$ is defined to be a finite sequence of pairs of states $(s_0,s_0')(s_1,s_1')\ldots(s_k,s_k')$ such that it is possible for $C$ to perform a computation from $s_0$ to $s_k'$ if execution is interrupted $k$ times, the $i$th interruption changing the state from $s_i'$ to $s_{i+1}$ ($0 \leq i < k$). A transition trace of this form is interference-free iff $s_i' = s_{i+1}$ for each $i$. The degenerate case ($k = 0$) yields simply a pair $(s,s')$ such that $C$ has a computation from $s$ terminating in $s'$. Formally, we write $\mathcal{T}[\![C]\!]$ for the set of transition traces of $C$, characterized operationally by:

$$\mathcal{T}[\![C]\!] = \{(s_0,s_0')(s_1,s_1')\ldots(s_k,s_k') \mid (C,s_0) \to^* (C_1,s_0')\ \&\ (C_1,s_1) \to^* (C_2,s_1')\ \&\ \ldots\ \&\ (C_k,s_k) \to^* (C',s_k')\,term\}.$$

Proposition 5.1 For all commands $C$, $\mathcal{M}[\![C]\!] = \{(s,s') \mid (s,s') \in \mathcal{T}[\![C]\!]\}$.

This operational characterization of $\mathcal{T}$ has some obvious but important consequences following from the fact that $\to^*$ is reflexive and transitive:

Proposition 5.2 The set of transition traces of a command $C$ is closed under "stuttering" and "mumbling": for all $\alpha, \beta \in (S \times S)^*$ and all $s, s', s'' \in S$,

$$\alpha\beta \in \mathcal{T}[\![C]\!] \Rightarrow \alpha(s,s)\beta \in \mathcal{T}[\![C]\!]$$
$$\alpha(s,s')(s',s'')\beta \in \mathcal{T}[\![C]\!] \Rightarrow \alpha(s,s'')\beta \in \mathcal{T}[\![C]\!].$$
Given a set $T$ of transition traces, we let $T^\dagger$, the closure of $T$, be the smallest set containing $T$ and closed under stuttering and mumbling. We say that $T$ is closed if $T = T^\dagger$. By the above result, $\mathcal{T}[\![C]\!]$ is closed.

Let $\Sigma = S \times S$, and let $\mathcal{P}^\dagger(\Sigma^+)$ denote the set of closed sets of (non-empty) traces, ordered by inclusion. It is easy to see that this forms a complete lattice, with least element the empty set and with least upper bounds given by unions.

The standard notion of concatenation for finite sequences can be adapted easily to this setting. When $T_1$ and $T_2$ are closed sets of traces we define

$$T_1;T_2 = \{\alpha\beta \mid \alpha \in T_1\ \&\ \beta \in T_2\}^\dagger.$$

We also extend the Kleene-star operation to closed sets of traces in the obvious way: $T^*$ denotes the smallest set containing $T$ and the empty trace, closed under stuttering, mumbling and concatenation.

Similarly, the standard notion of interleaving on finite traces is given inductively by:

$$\alpha \| \epsilon = \epsilon \| \alpha = \{\alpha\}$$
$$\sigma\alpha \| \rho\beta = \{\sigma\gamma \mid \gamma \in \alpha \| \rho\beta\} \cup \{\rho\gamma' \mid \gamma' \in \sigma\alpha \| \beta\},$$

where $\sigma$ and $\rho$ range over $\Sigma$, $\alpha$ and $\beta$ range over $\Sigma^*$, and $\epsilon$ is the empty trace (footnote 1). When $T_1$ and $T_2$ are closed sets of traces we define

$$T_1 \| T_2 = \bigcup\{\alpha \| \beta \mid \alpha \in T_1\ \&\ \beta \in T_2\}^\dagger.$$

We can now give a denotational characterization for $\mathcal{T}$. To simplify the presentation, and to facilitate comparison with later developments, it is convenient to define $\mathcal{T}[\![B]\!] = \{(s,s) \mid (s,tt) \in \mathcal{B}[\![B]\!]\}$.

Proposition 5.3 The (finite) transition traces semantic function $\mathcal{T} : Com \to \mathcal{P}^\dagger(\Sigma^+)$ is characterized uniquely by the following clauses:

$$\mathcal{T}[\![\mathbf{skip}]\!] = \{(s,s) \mid s \in S\}^\dagger$$
$$\mathcal{T}[\![I:=E]\!] = \{(s,[s \mid I = n]) \mid (s,n) \in \mathcal{E}[\![E]\!]\}^\dagger$$
$$\mathcal{T}[\![C_1;C_2]\!] = \mathcal{T}[\![C_1]\!];\mathcal{T}[\![C_2]\!]$$
$$\mathcal{T}[\![C_1 \| C_2]\!] = \mathcal{T}[\![C_1]\!] \| \mathcal{T}[\![C_2]\!]$$
$$\mathcal{T}[\![\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2]\!] = \mathcal{T}[\![B]\!];\mathcal{T}[\![C_1]\!] \cup \mathcal{T}[\![\neg B]\!];\mathcal{T}[\![C_2]\!]$$
$$\mathcal{T}[\![\mathbf{while}\ B\ \mathbf{do}\ C]\!] = (\mathcal{T}[\![B]\!];\mathcal{T}[\![C]\!])^*;\mathcal{T}[\![\neg B]\!]$$
$$\mathcal{T}[\![\mathbf{await}\ B\ \mathbf{then}\ C]\!] = \{(s,s') \in \mathcal{T}[\![C]\!] \mid (s,s) \in \mathcal{T}[\![B]\!]\}^\dagger.$$

Note that all operations on closed sets of traces used in this semantic definition are monotone (even continuous) with respect to set inclusion. An alternative (and equivalent) definition of the trace semantics of loops can be given using least fixed points:

$$\mathcal{T}[\![\mathbf{while}\ B\ \mathbf{do}\ C]\!] = \mu T.(\mathcal{T}[\![B]\!];\mathcal{T}[\![C]\!];T \cup \mathcal{T}[\![\neg B]\!]).$$

Footnote 1: Although transition traces are always non-empty, some of our definitions are simpler if we include the empty trace.
6 Full abstraction

Given the assumption that expression evaluation is atomic, the only important aspect of an expression's operational behavior in the transition rules for commands is its final value. It follows trivially that two expressions induce the same partial correctness behavior in all program contexts if and only if they evaluate to the same results in all states. Thus, $\mathcal{E}$ is fully abstract for the expression sub-language, and $\mathcal{B}$ is fully abstract for the boolean expression sub-language.

We now show that the transition traces semantics for commands is (inequationally) fully abstract with respect to partial correctness behavior.

We define $\mathcal{T}[\![C]\!]s = \{s'\alpha \mid (s,s')\alpha \in \mathcal{T}[\![C]\!]\}$ and:

$$C \sqsubseteq_T C' \iff \forall s.(free[\![C]\!] \cup free[\![C']\!] \subseteq dom(s) \Rightarrow \mathcal{T}[\![C]\!]s \subseteq \mathcal{T}[\![C']\!]s)$$
$$C =_T C' \iff C \sqsubseteq_T C'\ \&\ C' \sqsubseteq_T C.$$

Proposition 6.1 The transition traces semantics $\mathcal{T}$ is inequationally fully abstract: for all commands $C$ and $C'$, $C \sqsubseteq_T C' \iff C \leq_M C'$.

Proof: Suppose $C \sqsubseteq_T C'$. Since $\mathcal{T}$ is a denotational semantics, for each program context $P[\cdot]$ the only relevant aspect of $C$ in determining $\mathcal{T}[\![P[C]]\!]$ is $\mathcal{T}[\![C]\!]$. Moreover, all operations used in the semantic definitions are monotone with respect to set inclusion. Thus we get $\mathcal{T}[\![P[C]]\!] \subseteq \mathcal{T}[\![P[C']]\!]$. But then for all relevant states $s$,

$$\mathcal{M}[\![P[C]]\!]s = \{s' \mid (s,s') \in \mathcal{T}[\![P[C]]\!]\} \subseteq \{s' \mid (s,s') \in \mathcal{T}[\![P[C']]\!]\} = \mathcal{M}[\![P[C']]\!]s.$$

This shows that $C \sqsubseteq_T C' \Rightarrow C \leq_M C'$.

Since states are finite, for each state $s$ there is a boolean expression $IS_s$ that evaluates to $tt$ from $s'$ if $s'$ agrees with $s$ on $dom(s)$, and evaluates to $ff$ otherwise. Similarly there is a command $MAKE_s$ such that

$$(MAKE_s, s') \to^* (\mathbf{skip}, s)$$

for all states $s'$ such that $dom(s') = dom(s)$. Such a command can easily be defined as a finite sequence of assignments to the identifiers in $dom(s)$.

Now suppose $C \not\sqsubseteq_T C'$, so that there is some transition trace $\alpha = (s_0,s_0')(s_1,s_1')\ldots(s_k,s_k')$ belonging to $\mathcal{T}[\![C]\!]$ and not $\mathcal{T}[\![C']\!]$. Let $DO_\alpha$ be the command

$$\mathbf{await}\ IS_{s_0'}\ \mathbf{then}\ MAKE_{s_1};$$
$$\mathbf{await}\ IS_{s_1'}\ \mathbf{then}\ MAKE_{s_2};$$
$$\ldots$$
$$\mathbf{await}\ IS_{s_{k-1}'}\ \mathbf{then}\ MAKE_{s_k}.$$

Let $P_\alpha[\cdot]$ be the program context $[\cdot] \| DO_\alpha$. By assumption that $\alpha \in \mathcal{T}[\![C]\!] - \mathcal{T}[\![C']\!]$ it follows that

$$(s_0,s_k') \in \mathcal{M}[\![P_\alpha[C]]\!] - \mathcal{M}[\![P_\alpha[C']]\!],$$

so $C \not\leq_M C'$. Thus, $C \leq_M C'$ implies $C \sqsubseteq_T C'$. That completes the proof.

$$\mathbf{skip};C = C = C;\mathbf{skip}$$
$$(C_1;C_2);C_3 = C_1;(C_2;C_3)$$
$$C \| \mathbf{skip} = C$$
$$C_1 \| C_2 = C_2 \| C_1$$
$$(C_1 \| C_2) \| C_3 = C_1 \| (C_2 \| C_3)$$
$$C_1;(C_2 \| C_3) \sqsubseteq (C_1;C_2) \| C_3$$
$$(\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2);C = \mathbf{if}\ B\ \mathbf{then}\ C_1;C\ \mathbf{else}\ C_2;C$$
$$\mathbf{if}\ (B_1 \& B_2)\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2 \sqsubseteq \mathbf{if}\ B_1\ \mathbf{then}\ (\mathbf{if}\ B_2\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2)\ \mathbf{else}\ C_2$$
$$\mathbf{while}\ B\ \mathbf{do}\ C = \mathbf{if}\ B\ \mathbf{then}\ C;\mathbf{while}\ B\ \mathbf{do}\ C\ \mathbf{else}\ \mathbf{skip}$$
$$\mathbf{await}\ (B_1 \& B_2)\ \mathbf{then}\ C = \mathbf{await}\ B_1\ \mathbf{then}\ (\mathbf{await}\ B_2\ \mathbf{then}\ C)$$
$$\mathbf{await}\ \mathbf{false}\ \mathbf{then}\ C \sqsubseteq C'$$

Figure 2: Some laws of parallel programming

For example, consider the commands $C = x:=1; x:=x+1$ and $C' = x:=1; x:=2$. They have the same partial correctness semantics but different transition traces: clearly

$$\alpha = ([x = 0],[x = 1])([x = 0],[x = 1])$$

is a transition trace of $C$ but not of $C'$. The context $P_\alpha[\cdot]$ built in the proof above is

$$[\cdot] \| \mathbf{await}\ x = 1\ \mathbf{then}\ x:=0$$

and it is clear that $P_\alpha[C]$ may terminate with $x = 1$ but that $P_\alpha[C']$ cannot.

Similarly, consider the commands $x:=0$ and $x:=0; x:=0$. It is easy to see that $\mathcal{T}[\![x:=0]\!] \subseteq \mathcal{T}[\![x:=0; x:=0]\!]$, and this inclusion is proper. The transition trace $([x = 1],[x = 0])([x = 1],[x = 0])$ is possible for $x:=0; x:=0$ but not for $x:=0$. These two commands can be distinguished by running them in parallel with the command await $x = 0$ then $x:=1$.
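The operational characterization of $\mathcal{T}[\![C]\!]$ from Section 5 and the distinguishing contexts of this section, as an added example that is not part of the paper: a small interpreter for the language of Figure 1 (commands encoded as Python tuples, expressions as Python functions over the state, and a finite set of environment states standing in for the unbounded set $S$; all of these encodings are constructions of the example) computes partial correctness sets and transition traces with a bounded number of interruptions, and checks that $\alpha$ belongs to $\mathcal{T}[\![C]\!]$ but not to $\mathcal{T}[\![C']\!]$ and that $P_\alpha[\cdot]$ separates the two commands.

```python
"""Transition traces for the shared-variable language of Sections 2 to 6.

Constructed model, not from the paper: a command is a tuple such as
('seq', C1, C2), an expression is a Python function over a dict of variables,
and a state [x = n, ...] is a sorted tuple of (identifier, value) pairs so that
configurations are hashable. Environment interruptions are drawn from a finite,
explicitly given set of states, so every trace set computed here is finite.
"""
from collections import deque

SKIP = ('skip',)

def state(**binding):
    """The state [I_1 = n_1, ..., I_k = n_k] as a canonical hashable tuple."""
    return tuple(sorted(binding.items()))

def update(s, var, n):
    """[s | I = n]: the state agreeing with s except that I has the value n."""
    return tuple(sorted({**dict(s), var: n}.items()))

def terminated(c):
    """(C,s)term: skip is terminated, and C1||C2 is when both components are."""
    return c == SKIP or (c[0] == 'par' and terminated(c[1]) and terminated(c[2]))

def step(c, s):
    """The one-step transition relation of Figure 1, yielding successors (C',s')."""
    env, tag = dict(s), c[0]
    if tag == 'assign':                    # I:=E is a single atomic action
        yield SKIP, update(s, c[1], c[2](env))
    elif tag == 'seq':                     # C1;C2
        if terminated(c[1]):
            yield c[2], s
        for c1, s1 in step(c[1], s):
            yield ('seq', c1, c[2]), s1
    elif tag == 'par':                     # C1||C2: either side may take the next step
        for c1, s1 in step(c[1], s):
            yield ('par', c1, c[2]), s1
        for c2, s2 in step(c[2], s):
            yield ('par', c[1], c2), s2
    elif tag == 'if':                      # the boolean test is evaluated atomically
        yield (c[2] if c[1](env) else c[3]), s
    elif tag == 'while':
        yield ('if', c[1], ('seq', c[2], c), SKIP), s
    elif tag == 'await' and c[1](env):     # critical region: enabled only when B holds,
        for s1 in final_states(c[2], s):   # and its body then runs as one atomic action
            yield SKIP, s1

def reachable(c, s):
    """All configurations reachable from (C,s) under ->*, the reflexive transitive closure."""
    seen, queue = {(c, s)}, deque([(c, s)])
    while queue:
        conf = queue.popleft()
        for nxt in step(*conf):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def final_states(c, s):
    """M[C]s = {s' | (C,s) ->* (C',s')term}; a deadlocked run contributes nothing."""
    return {s1 for c1, s1 in reachable(c, s) if terminated(c1)}

def traces(c, s0, env_states, k):
    """Transition traces (s0,s0')(s1,s1')...(sj,sj') of C with at most k interruptions,
    following the operational characterization of T[C] in Section 5: between the ->*
    segments the environment may reset the state to any member of env_states."""
    result = set()
    for c1, s1 in reachable(c, s0):
        head = ((s0, s1),)
        if terminated(c1):
            result.add(head)
        if k > 0:
            for s2 in env_states:
                for tail in traces(c1, s2, env_states, k - 1):
                    result.add(head + tail)
    return result

# The two commands of the worked example in Section 6, and the environment's choices.
C = ('seq', ('assign', 'x', lambda s: 1), ('assign', 'x', lambda s: s['x'] + 1))  # x:=1; x:=x+1
C_PRIME = ('seq', ('assign', 'x', lambda s: 1), ('assign', 'x', lambda s: 2))     # x:=1; x:=2
STATES = {state(x=0), state(x=1), state(x=2)}

def p_alpha(c):
    """The context P_alpha[-] = [-] || await x = 1 then x:=0 from the proof of Proposition 6.1."""
    return ('par', c, ('await', lambda s: s['x'] == 1, ('assign', 'x', lambda s: 0)))

def separate(c, c_prime, s0, context, alpha):
    """Compare c and c_prime: equal partial correctness from s0, whether alpha is a
    transition trace of each (one interruption allowed), and M[context[.]]s0 for both."""
    return {
        'same_M': final_states(c, s0) == final_states(c_prime, s0),
        'alpha_in_c': alpha in traces(c, s0, STATES, 1),
        'alpha_in_c_prime': alpha in traces(c_prime, s0, STATES, 1),
        'M_context_c': final_states(context(c), s0),
        'M_context_c_prime': final_states(context(c_prime), s0),
    }
```

Calling `separate(C, C_PRIME, state(x=0), p_alpha, ((state(x=0), state(x=1)),) * 2)` reports equal partial correctness, $\alpha$ present only for `C`, and final states $\{[x=1]\}$ versus $\{[x=2]\}$ under $P_\alpha$; the same functions reproduce the $x:=0$ versus $x:=0; x:=0$ comparison.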

7 Laws of parallel programming

We can use this semantics to prove equations and inequations between programs, with the guarantee that these laws may be safely used for reasoning about partial correctness, in any program context. Some examples are given in Figure 2, in which $=$ stands for $=_T$ and $\sqsubseteq$ stands for $\sqsubseteq_T$. The majority of these laws fail in the resumptions model and in Park's model. The laws may be easily validated in our semantics, taking advantage of natural algebraic identities involving $T_1;T_2$, $T_1 \| T_2$, and $T^*$.

A consequence of these laws is the inequality $C_1;C_2 \sqsubseteq C_1 \| C_2$. If the expression language is deterministic, so that for all $E$ and $s$ the set $\{n \mid (s,n) \in \mathcal{E}[\![E]\!]\}$ contains at most one value, we also obtain the inequation:

$$I:=[E_1/I]E_2 \sqsubseteq I:=E_1; I:=E_2,$$

where $[E_1/I]E_2$ denotes the expression obtained by substituting $E_1$ for each free occurrence of $I$ in $E_2$, with appropriate changes of bound variable to avoid capturing any free identifiers of $E_1$.

This semantics identifies deadlock (e.g. await false then $C$) with divergence (e.g. while true do skip). This is reasonable, since a deadlocked program and a diverging program vacuously satisfy the same partial correctness properties in every program context. In addition, since assignment is atomic, this semantics satisfies the law $I:=I = \mathbf{skip}$.

8 Finer granularity

Our semantics can be adapted to deal with finer levels of granularity. For instance, we might allow interruption of an assignment $I:=E$ during the evaluation of $E$, and interruption of a conditional during the evaluation of its test. To make the discussion precise, suppose that we have the following abstract syntax for boolean expressions and integer expressions:

$$B ::= \mathbf{true} \mid \mathbf{false} \mid \neg B \mid B_1 \& B_2 \mid E_1 \leq E_2$$
$$E ::= 0 \mid 1 \mid I \mid E_1 + E_2 \mid \mathbf{if}\ B\ \mathbf{then}\ E_1\ \mathbf{else}\ E_2$$

To adapt the operational semantics we introduce the set $BExp'$ of extended boolean expressions, defined by adding the clauses $B ::= v$ ($v \in V$) to the grammar for $BExp$, and the set $Exp'$ of extended integer expressions, defined by adding $E ::= n$ ($n \in N$) to the grammar for $Exp$. We use configurations of form $(E,s)$ and $(B,s)$, where $E$ and $B$ are extended expressions. A configuration of form $(n + E_2, s)$ (with $n \in N$) represents a stage in evaluation of a sum expression where the left-hand expression has been evaluated to the integer $n$ and the right-hand expression remaining to be computed is $E_2$; a configuration of form $n \in N$ represents the final result of evaluation.

A fine-grained operational semantics for expressions is described in Figures 3 and 4. Note that the transition rules specify that a conjunction $B_1 \& B_2$ is evaluated from left-to-right with a short-circuit strategy, avoiding evaluation of $B_2$ if $B_1$ evaluates to $ff$. On the other hand we specify that in a sum expression $E_1 + E_2$ the two sub-expressions are evaluated in parallel. These choices were made solely for illustration, and the transition rules may easily be modified to model different evaluation strategies without affecting the general properties of our semantics.

Now that expression evaluation is no longer atomic, the semantic functions $\mathcal{E}$ and $\mathcal{B}$ are not fully abstract. Instead we need to extend the transition traces semantics to cover expressions, to allow for the possibility that the state may change during evaluation. Since we assume that expression evaluation never causes any side-effects, we can use a slightly simpler trace structure than for commands (footnote 2):

$$\mathcal{T}[\![B]\!] = \{((s_0,s_0)(s_1,s_1)\ldots(s_k,s_k), v) \mid (B,s_0) \to^* (B_1,s_0)\ \&\ (B_1,s_1) \to^* (B_2,s_1)\ \&\ \ldots\ \&\ (B_k,s_k) \to^* v\}$$

$$\mathcal{T}[\![E]\!] = \{((s_0,s_0)(s_1,s_1)\ldots(s_k,s_k), n) \mid (E,s_0) \to^* (E_1,s_0)\ \&\ (E_1,s_1) \to^* (E_2,s_1)\ \&\ \ldots\ \&\ (E_k,s_k) \to^* n\}.$$

Thus a trace $((s_0,s_0)(s_1,s_1)\ldots(s_k,s_k), v) \in \mathcal{T}[\![B]\!]$ means that there is an evaluation of $B$ from initial state $s_0$ resulting in value $v$, during which the environment makes $k$ interruptions, the $i$th interruption changing the state to $s_i$. In particular allowing no interruptions corresponds to the definition of $\mathcal{B}$, and $\mathcal{B}[\![B]\!] = \{(s,v) \mid ((s,s),v) \in \mathcal{T}[\![B]\!]\}$. Note that the traces of an expression are again closed under (the obvious analogues of) stuttering and mumbling. For boolean expressions this amounts to the following:

Proposition 8.1 For all boolean expressions $B$, all states $s$, all $\alpha, \beta \in \Sigma^*$, and all truth values $v$,

$$(\alpha\beta, v) \in \mathcal{T}[\![B]\!] \Rightarrow (\alpha(s,s)\beta, v) \in \mathcal{T}[\![B]\!]$$
$$(\alpha(s,s)(s,s)\beta, v) \in \mathcal{T}[\![B]\!] \Rightarrow (\alpha(s,s)\beta, v) \in \mathcal{T}[\![B]\!].$$

Footnote 2: Actually, we could have used traces of form $(s_0 s_1 \ldots s_k, v)$ with minor modifications in what follows. Our notation is deliberately chosen so as to simplify some of the details that follow.
$$(\mathbf{true},s) \to tt \qquad (\mathbf{false},s) \to ff$$

$$\frac{(B,s) \to (B',s)}{(\neg B,s) \to (\neg B',s)} \qquad \frac{(B,s) \to tt}{(\neg B,s) \to ff} \qquad \frac{(B,s) \to ff}{(\neg B,s) \to tt}$$

$$\frac{(B_1,s) \to (B_1',s)}{(B_1 \& B_2,s) \to (B_1' \& B_2,s)} \qquad \frac{(B_1,s) \to tt}{(B_1 \& B_2,s) \to (B_2,s)} \qquad \frac{(B_1,s) \to ff}{(B_1 \& B_2,s) \to ff}$$

$$\frac{(E_1,s) \to (E_1',s)}{(E_1 \leq E_2,s) \to (E_1' \leq E_2,s)} \qquad \frac{(E_2,s) \to (E_2',s)}{(E_1 \leq E_2,s) \to (E_1 \leq E_2',s)}$$

$$(m \leq n,s) \to tt \ \text{ if } m \leq n \qquad (m \leq n,s) \to ff \ \text{ if } m > n$$

Figure 3: A fine-grained operational semantics for boolean expressions


$$\frac{(B,s) \to (B',s)}{(\mathbf{if}\ B\ \mathbf{then}\ E_1\ \mathbf{else}\ E_2,s) \to (\mathbf{if}\ B'\ \mathbf{then}\ E_1\ \mathbf{else}\ E_2,s)}$$

$$\frac{(B,s) \to tt}{(\mathbf{if}\ B\ \mathbf{then}\ E_1\ \mathbf{else}\ E_2,s) \to (E_1,s)} \qquad \frac{(B,s) \to ff}{(\mathbf{if}\ B\ \mathbf{then}\ E_1\ \mathbf{else}\ E_2,s) \to (E_2,s)}$$

$$\frac{(E_1,s) \to (E_1',s)}{(E_1 + E_2,s) \to (E_1' + E_2,s)} \qquad \frac{(E_2,s) \to (E_2',s)}{(E_1 + E_2,s) \to (E_1 + E_2',s)}$$

Figure 4: A fine-grained operational semantics for integer expressions


$$(\mathbf{skip},s)\,term$$

$$\frac{(E,s) \to (E',s)}{(I:=E,s) \to (I:=E',s)} \qquad (I:=n,s) \to (\mathbf{skip},[s \mid I = n])$$

$$\frac{(C_1,s) \to (C_1',s')}{(C_1;C_2,s) \to (C_1';C_2,s')} \qquad \frac{(C_1,s)\,term}{(C_1;C_2,s) \to (C_2,s)}$$

$$\frac{(C_1,s) \to (C_1',s')}{(C_1 \| C_2,s) \to (C_1' \| C_2,s')} \qquad \frac{(C_2,s) \to (C_2',s')}{(C_1 \| C_2,s) \to (C_1 \| C_2',s')}$$

$$\frac{(C_1,s)\,term \qquad (C_2,s)\,term}{(C_1 \| C_2,s)\,term}$$

$$\frac{(B,s) \to (B',s)}{(\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2,s) \to (\mathbf{if}\ B'\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2,s)}$$

$$\frac{(B,s) \to tt}{(\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2,s) \to (C_1,s)} \qquad \frac{(B,s) \to ff}{(\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2,s) \to (C_2,s)}$$

$$(\mathbf{while}\ B\ \mathbf{do}\ C,s) \to (\mathbf{if}\ B\ \mathbf{then}\ C;\mathbf{while}\ B\ \mathbf{do}\ C\ \mathbf{else}\ \mathbf{skip},s)$$

$$\frac{(B,s) \to^* tt \qquad (C,s) \to^* (\mathbf{skip},s')}{(\mathbf{await}\ B\ \mathbf{then}\ C,s) \to (\mathbf{skip},s')}$$

Figure 5: A fine-grained operational semantics for commands

We  write  pt(£+  x  V)  for  the  set  of  closed  sets,  ordered  again  by  inclusion.  Similar  properties  hold 
for  integer  expressions,  so  that  T\E J  is  a  closed  subset  of  £+  x  N. 

So  far  we  have  characterized  T\B\  and  T[E\  operationally.  As  with  commands,  we  can  also 
give  denotational  definitions.  We  give  the  details  only  for  boolean  expressions. 

Proposition  8.2  The  fine-grained  trace  semantics  T  :  BExp  — ►  pt( £+  x  V)  is  uniquely  charac¬ 
terized  by  the  following  clauses: 

T[trueJ  =  {((s,s),tt)  |  s  €  S}t 
T[false]  =  {((s,s),ff)  |  s  €  5}t 

=  {(a,  ->v)  j  (a,v)  e  where  -itt  =  =  tt 

T[BikB2 J  =  {(a,ff)  |  (a, ft)  e  T[Bi]}  U  {(afi,v)  j  (a,tt)  e  T[BX )  k  (/?,»)  e  T[B2]} t 
T[Ei  <  E2\  =  {(7 ,m  <  n)  |  (a,m)  6  T[EX J  &(/?,»)€  T[E2\  k  7  €  a||/?}t. 

An  operational  characterization  of  the  fine-grained  trace  semantics  of  commands  is  given  exactly 
as  before,  but  using  the  fine-grained  transition  relation  — »  from  Figure  5: 

T[C\  =  {(«o»*o)(si>ai) •••(«*, 4)  I 
{C,s0)  ->*  {Ci,Sq)  & 

(Cl,*)-*  (C2,3i>& 

.  & 

{ Ck,Sk )  -*■*  (C', s'k) term}. 

In  the  following  denotational  definition  for  T[CJ  we  identify  T[B\  with  the  set  {a  |  (cv,  tt)  e  T\B\). 

Proposition 8.3 The fine-grained trace semantics of commands is uniquely characterized by the following clauses:

$$\begin{aligned}
\mathcal{T}[\![\mathbf{skip}]\!] &= \{(s,s) \mid s \in S\}^{\dagger} \\
\mathcal{T}[\![I{:=}E]\!] &= \{\alpha(s,[s \mid I = n]) \mid (\alpha,n) \in \mathcal{T}[\![E]\!]\}^{\dagger} \\
\mathcal{T}[\![C_1;C_2]\!] &= \mathcal{T}[\![C_1]\!];\mathcal{T}[\![C_2]\!] \\
\mathcal{T}[\![C_1 \parallel C_2]\!] &= \mathcal{T}[\![C_1]\!] \parallel \mathcal{T}[\![C_2]\!] \\
\mathcal{T}[\![\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2]\!] &= \mathcal{T}[\![B]\!];\mathcal{T}[\![C_1]\!] \cup \mathcal{T}[\![\neg B]\!];\mathcal{T}[\![C_2]\!] \\
\mathcal{T}[\![\mathbf{while}\ B\ \mathbf{do}\ C]\!] &= (\mathcal{T}[\![B]\!];\mathcal{T}[\![C]\!])^{*};\mathcal{T}[\![\neg B]\!] \\
\mathcal{T}[\![\mathbf{await}\ B\ \mathbf{then}\ C]\!] &= \{(s,s') \in \mathcal{T}[\![C]\!] \mid (s,s) \in \mathcal{T}[\![B]\!]\}^{\dagger}.
\end{aligned}$$

Again  all  operations  on  trace  sets  used  in  this  semantics  are  monotone  (even  continuous)  with 
respect  to  set  inclusion. 

Of course, since the operational semantics of commands is now fine-grained, we are now interested in a fine-grained version of partial correctness behavior, which we still call $\mathcal{M}$, defined as before but using the fine-grained transition relation of Figure 5.

Proposition 8.4 The fine-grained semantics is fully abstract with respect to fine-grained partial correctness: for all terms $t$ and $t'$ of the same syntactic type, $t \sqsubseteq_{\mathcal{T}} t' \iff t \le_{\mathcal{M}} t'$.

Proof:  For  commands  the  proof  is  similar  to  the  proof  of  Proposition  6.1. 

For boolean expressions $t$ and $t'$ with different transition traces it is easy to construct a context of form $C \parallel \mathbf{if}\ [\cdot]\ \mathbf{then}\ z{:=}0\ \mathbf{else}\ z{:=}1$ (for a suitably chosen $C$) that distinguishes between them. For integer expressions with different transition traces we can find a discriminating context of form $C \parallel z{:=}[\cdot]$. ■

For example, the boolean expressions $x \le x$ and $\mathbf{true}$ are not semantically equivalent, and they may induce different behavior in contexts such as

$$x{:=}1;\ (x{:=}0 \parallel \mathbf{if}\ [\cdot]\ \mathbf{then}\ y{:=}1\ \mathbf{else}\ y{:=}2).$$
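To make this example concrete, the following Python code (added here; it is not part of the paper) implements the generating sets of the clauses in Proposition 8.2 over a constructed two-element state space in which a state is simply the value of the single variable $x$, and each read of $x$ is one atomic step. The tuple encoding of expressions and the names `traces`, `merge`, `values_of` and `interference_free` are this example's own assumptions. It exhibits the trace $([x=1],[x=1])([x=0],[x=0])$ on which $x \le x$ yields $\mathit{ff}$, whereas every trace of $\mathbf{true}$ yields $\mathit{tt}$; restricted to interference-free traces the two expressions agree, which is why the difference only surfaces in a parallel context.

```python
from itertools import product

# Constructed finite state space for this example: a state is the value of the
# single variable x (the paper's S is arbitrary; this restriction is ours).
STATES = (0, 1)
TT, FF = True, False


def merge(alpha, beta):
    """All interleavings of two finite traces: the inductive definition of alpha || beta."""
    if not alpha:
        return {beta}
    if not beta:
        return {alpha}
    return ({(alpha[0],) + rest for rest in merge(alpha[1:], beta)}
            | {(beta[0],) + rest for rest in merge(alpha, beta[1:])})


def traces(expr):
    """Generating set of the fine-grained trace semantics T[E] / T[B] (Proposition 8.2),
    before the stuttering/mumbling closure.  Elements are (trace, value) pairs, a trace
    being a tuple of (s, s') transitions.  Expressions are nested tuples (our encoding):
      ('true',) | ('false',) | ('not', B) | ('and', B1, B2) | ('leq', E1, E2)
      ('const', n) | ('x',)          -- integer expressions; ('x',) is one atomic read."""
    tag = expr[0]
    if tag == 'true':
        return {(((s, s),), TT) for s in STATES}
    if tag == 'false':
        return {(((s, s),), FF) for s in STATES}
    if tag == 'const':
        return {(((s, s),), expr[1]) for s in STATES}
    if tag == 'x':
        return {(((s, s),), s) for s in STATES}
    if tag == 'not':
        return {(a, not v) for a, v in traces(expr[1])}
    if tag == 'and':
        # short-circuit: a ff result from B1 ends evaluation, tt continues with B2
        t1, t2 = traces(expr[1]), traces(expr[2])
        return ({(a, FF) for a, v in t1 if v is FF}
                | {(a + b, w) for a, v in t1 if v is TT for b, w in t2})
    if tag == 'leq':
        # the operands are evaluated concurrently: gamma ranges over alpha || beta
        t1, t2 = traces(expr[1]), traces(expr[2])
        return {(g, m <= n)
                for (a, m), (b, n) in product(t1, t2) for g in merge(a, b)}
    raise ValueError(f"unknown expression tag {tag!r}")


def interference_free(trace):
    """No environment interruption: each step resumes in the state the previous one left."""
    return all(trace[i][1] == trace[i + 1][0] for i in range(len(trace) - 1))


def values_of(expr, only_interference_free=False):
    """Set of results the expression can produce (optionally only without interference)."""
    return {v for a, v in traces(expr)
            if not only_interference_free or interference_free(a)}


X_LEQ_X = ('leq', ('x',), ('x',))

# The trace on which x <= x yields ff: read x = 1, get interrupted by an environment
# that sets x to 0, then read x = 0 and compare 1 <= 0.
FF_TRACE = (((1, 1), (0, 0)), FF)
```

Because `traces` omits the closure, the sets it returns are finite; stuttering and mumbling do not change the value component, so the comparison of result sets is unaffected.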

The relationships given in Figure 2 continue to hold for the fine-grained semantics. However, the identity $I{:=}I = \mathbf{skip}$ fails because assignment is not atomic. For example,

$$x{:=}0;[x{:=}x \parallel x{:=}1] \;\neq\; x{:=}0;[\mathbf{skip} \parallel x{:=}1].$$

This is because $([x=0],[x=0])([x=1],[x=0])$ is a transition trace of $x{:=}x$ but not of $\mathbf{skip}$. Instead we get the inequality $\mathbf{skip} \sqsubseteq I{:=}I$.

9  Fairness  and  strong  correctness 

So  far  we  have  ignored  the  possibility  of  infinite  computation  and  non-termination.  This  was 
appropriate  for  reasoning  about  partial  correctness.  However,  many  parallel  programs  are  designed 
specifically  not  to  terminate,  and  we  would  like  a  semantics  suitable  for  reasoning  about  total 
correctness,  and  about  safety  and  liveness  properties,  in  addition  to  partial  correctness.  Moreover, 
when  reasoning  about  parallel  programs  it  is  often  natural  to  make  a  fairness  assumption  [12]:  when 
running  commands  in  parallel,  no  individual  command  is  forever  denied  its  turn  for  execution.  It 
is  well  known  that  the  assumption  of  fairness  implies  unbounded  nondeterminism,  and  that  in 
many  models  (typically  using  powerdomains)  this  causes  lack  of  continuity  of  various  semantic 
functions  [2,  12]. 

Despite this, we can model fair infinite execution of parallel programs simply by extending our transition trace model to include fair infinite traces. A (fair) infinite trace of a command $C$ is a sequence

$$(s_0,s_0')(s_1,s_1')\cdots(s_n,s_n')(s_{n+1},s_{n+1}')\cdots$$

describing a (fair) infinite computation of $C$ from initial state $s_0$ during which execution is interrupted infinitely often, the $i$th interruption changing the state from $s_i'$ to $s_{i+1}$ (for each $i \ge 0$). Each $(s_i,s_i')$ represents a finite (possibly empty) sequence of atomic actions performed by the command, and infinitely many of these action sequences must be non-empty$^{3}$.

Every  finite  transition  trace  of  C  is  fair.  In  order  to  characterize  the  fair  infinite  computations 
of  a  command  operationally,  the  fairness  condition  must  be  applied  to  each  parallel  sub-command 
of  C :  care  must  be  taken  to  keep  track  of  which  syntactic  component  of  C  performs  each  atomic 
action  in  a  computation.  See  for  example  [4]. 

Let $\mathcal{T}[\![C]\!]$ now denote the set of fair transition traces of $C$. For obvious reasons only finitely many interruptions can occur between successive atomic actions by $C$; consequently, $\mathcal{T}[\![C]\!]$ is again closed under stuttering and mumbling, where we allow finitely many stutters or mumbles between successive stages in a trace. We continue to use the notation $T^{\dagger}$ for the closure of $T$, where $T$ now ranges over subsets of $\Sigma^{\infty} = \Sigma^{+} \cup \Sigma^{\omega}$, the set of finite or infinite transition traces. Let $\mathcal{P}^{\dagger}(\Sigma^{\infty})$ denote the set of closed sets of finite or infinite traces. This again forms a complete lattice under set inclusion.

$^{3}$ For example, this requirement guarantees that $C$ has an infinite interference-free trace beginning in state $s$ iff $(C,s)$ has a fair infinite computation.
We extend concatenation to fair traces in the obvious way: $\alpha\beta$ is defined to be $\alpha$ if $\alpha$ is an infinite sequence. Then we define $T_1;T_2$ and $T^{*}$ on closed sets of finite or infinite traces as before. We also define$^{4}$

$$T^{\omega} = \{\alpha_0\alpha_1\cdots \mid \forall n \ge 0.\ \alpha_n \in T\}^{\dagger}.$$

For $\alpha$ and $\beta$ in $\Sigma^{\infty}$ let $\alpha \parallel \beta$ be the set of all traces built by fairly interleaving $\alpha$ with $\beta$. Perhaps the simplest way to define $\alpha \parallel \beta$ formally, following Park [12], is:

$$\begin{aligned}
\alpha \parallel \beta &= \{\gamma \mid (\alpha,\beta,\gamma) \in \mathit{fairmerge}\} \\
\mathit{fairmerge} &= (L^{*}RR^{*}L)^{\omega} \cup (L \cup R)^{*}A \\
L &= \{(\sigma,\epsilon,\sigma) \mid \sigma \in \Sigma\} \\
R &= \{(\epsilon,\sigma,\sigma) \mid \sigma \in \Sigma\} \\
A &= \{(\alpha,\epsilon,\alpha) \mid \alpha \in \Sigma^{\infty}\} \cup \{(\epsilon,\beta,\beta) \mid \beta \in \Sigma^{\infty}\},
\end{aligned}$$

where we extend concatenation to work on sets and on triples of traces in the obvious way: $AB = \{\alpha\beta \mid \alpha \in A,\ \beta \in B\}$ and $(\alpha_1,\alpha_2,\alpha_3)(\beta_1,\beta_2,\beta_3) = (\alpha_1\beta_1,\alpha_2\beta_2,\alpha_3\beta_3)$. When $\alpha$ and $\beta$ are finite this definition of $\alpha \parallel \beta$ coincides with the inductive definition given earlier. Then we define a fair interleaving operator on closed sets of traces by:

$$T_1 \parallel T_2 = \bigcup\{\alpha_1 \parallel \alpha_2 \mid \alpha_1 \in T_1 \ \&\ \alpha_2 \in T_2\}^{\dagger}.$$
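The following Python code (an added example, not from the paper) shows Park's definition at work on finitely presentable traces. Infinite traces and infinite merge schedules are represented as ultimately periodic `Lasso` objects (a construction of this example); a merge of $\alpha$ and $\beta$ is driven by a schedule over $\{L,R\}$, and `in_fairmerge` decides membership in $\mathit{fairmerge}$ using the observation that both components of the definition say the same thing: every element of $\alpha$ and of $\beta$ must eventually be consumed. A schedule that eventually starves an infinite side fails $(L^{*}RR^{*}L)^{\omega}$ and cannot be in $(L \cup R)^{*}A$ either, since $A$ requires the starved side to be exhausted. The names and sample traces are this example's own.

```python
from itertools import islice


class Lasso:
    """Ultimately periodic infinite sequence  prefix . loop^omega: a finitely presentable
    stand-in (our construction) for an element of Sigma^omega or a schedule in {L,R}^omega."""

    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty")
        self.prefix, self.loop = tuple(prefix), tuple(loop)

    def __getitem__(self, i):
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def __iter__(self):
        i = 0
        while True:
            yield self[i]
            i += 1


INF = float('inf')


def length(seq):
    """|alpha|: the length of a finite trace, or INF for a Lasso."""
    return INF if isinstance(seq, Lasso) else len(seq)


def occurrences(sched, letter):
    """How often the schedule chooses `letter` (INF when it recurs in the loop)."""
    if isinstance(sched, Lasso):
        return INF if letter in sched.loop else sched.prefix.count(letter)
    return sched.count(letter)


def in_fairmerge(alpha, beta, sched):
    """Is the merge of alpha and beta driven by sched (a word over {'L','R'}: a finite tuple
    or a Lasso) an element of  fairmerge = (L*RR*L)^omega  u  (L u R)*A ?
    Equivalent condition: sched takes L exactly |alpha| times and R exactly |beta| times
    (infinitely often for an infinite side), so that nothing is starved or over-consumed."""
    return (occurrences(sched, 'L') == length(alpha)
            and occurrences(sched, 'R') == length(beta))


def merge_by(alpha, beta, sched, n):
    """First n elements of gamma, the merge driven by sched: 'L' takes the next element of
    alpha, 'R' the next of beta.  Raises if the schedule picks an already exhausted side."""
    its = {'L': iter(alpha), 'R': iter(beta)}
    out = []
    for choice in islice(iter(sched), n):
        item = next(its[choice], None)
        if item is None:
            raise ValueError("not a merge: side %s is exhausted" % choice)
        out.append(item)
    return tuple(out)


# Constructed traces: two infinite stuttering traces (in states 0 and 1) and a finite one.
STUTTER_0 = Lasso((), ((0, 0),))
STUTTER_1 = Lasso((), ((1, 1),))
STEP_01 = ((0, 1),)

ROUND_ROBIN = Lasso((), ('L', 'R'))       # fair: both sides are served infinitely often
LEFT_ONLY = Lasso((), ('L',))             # unfair: the right side is starved forever
LEFT_THEN_RIGHT = Lasso(('L',), ('R',))   # (L u R)*A: finite left side, then all of the right
```

The finite case of `in_fairmerge` (both arguments tuples) is just the count check, which is exactly why the definition coincides with the inductive interleaving of finite traces mentioned above.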

With these definitions in hand, we can define $\mathcal{T}$ denotationally. Apart from the above modifications to $T_1;T_2$ (and therefore also $T^{\omega}$) and $T_1 \parallel T_2$, the only change in the semantic clauses concerns the meaning of a loop. We give details only for the coarse-grained case; the corresponding fine-grained version is obtainable similarly.

Definition 9.1 The fair transition traces semantic function $\mathcal{T} : \mathrm{Com} \to \mathcal{P}^{\dagger}(\Sigma^{\infty})$ is defined by the following clauses:

$$\begin{aligned}
\mathcal{T}[\![\mathbf{skip}]\!] &= \{(s,s) \mid s \in S\}^{\dagger} \\
\mathcal{T}[\![I{:=}E]\!] &= \{(s,[s \mid I = n]) \mid (s,n) \in \mathcal{E}[\![E]\!]\}^{\dagger} \\
\mathcal{T}[\![C_1;C_2]\!] &= \mathcal{T}[\![C_1]\!];\mathcal{T}[\![C_2]\!] \\
\mathcal{T}[\![C_1 \parallel C_2]\!] &= \mathcal{T}[\![C_1]\!] \parallel \mathcal{T}[\![C_2]\!] \\
\mathcal{T}[\![\mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2]\!] &= \mathcal{T}[\![B]\!];\mathcal{T}[\![C_1]\!] \cup \mathcal{T}[\![\neg B]\!];\mathcal{T}[\![C_2]\!] \\
\mathcal{T}[\![\mathbf{while}\ B\ \mathbf{do}\ C]\!] &= (\mathcal{T}[\![B]\!];\mathcal{T}[\![C]\!])^{*};\mathcal{T}[\![\neg B]\!] \cup (\mathcal{T}[\![B]\!];\mathcal{T}[\![C]\!])^{\omega} \\
\mathcal{T}[\![\mathbf{await}\ B\ \mathbf{then}\ C]\!] &= \{(s,s') \in \mathcal{T}[\![C]\!] \mid (s,s) \in \mathcal{T}[\![B]\!]\}^{\dagger}
\end{aligned}$$


Yet again all operations on trace sets used in this semantics are monotone (even continuous) with respect to set inclusion. However, the least fixed point characterization for loop semantics no longer applies. Instead, the loop semantics corresponds to what might be called an “operational fixed point” of the function $\lambda T.(\mathcal{T}[\![B]\!];\mathcal{T}[\![C]\!];T \cup \mathcal{T}[\![\neg B]\!])$.

We now need a notion of behavior that takes into account the possibility of non-termination. We therefore introduce a pseudo-state $\bot$ to represent non-termination, and let $S_{\bot} = S \cup \{\bot\}$.


$^{4}$ Note that since $\epsilon$ is not a member of $T$ there is no need to define what $\epsilon^{\omega}$ means.
Definition 9.2 The strong correctness behavior function $\mathcal{M} : \mathrm{Com} \to \mathcal{P}(S \times S_{\bot})$ is given by:

$$\mathcal{M}[\![C]\!] = \{(s,s') \mid (C,s) \to^{*} (C',s')\,\mathit{term}\} \cup \{(s,\bot) \mid (C,s) \to^{\omega}\},$$

where $(C,s) \to^{\omega}$ means that there is an infinite fair computation of $C$ starting from $s$.

This behavior function can also be obtained from the trace semantics, since $(C,s) \to^{\omega}$ holds if and only if $C$ has an infinite interference-free trace starting from $s$.

Proposition 9.3 For all commands $C$,

$$\mathcal{M}[\![C]\!] = \{(s,s') \mid (s,s') \in \mathcal{T}[\![C]\!]\} \cup \{(s,\bot) \mid (s,s_1)(s_1,s_2)\cdots(s_n,s_{n+1})\cdots \in \mathcal{T}[\![C]\!]\}.$$

Proposition 9.4 The fair trace semantics is fully abstract with respect to strong correctness: for all commands $C$ and $C'$, $C \sqsubseteq_{\mathcal{T}} C' \iff C \le_{\mathcal{M}} C'$.

Proof: Similar to that of Proposition 6.1, extended to deal with infinite traces. The most difficult part is to show that when $\alpha$ is an infinite trace of $C$ that is not also a trace of $C'$, there is some finite prefix $\beta$ of $\alpha$ such that the behavior of $C$ “after $\beta$” is distinguishable from the behavior of $C'$ “after $\beta$”. The proof of this finite distinguishability property uses König's Lemma and the fact that for any command $C$ and any pair of states $s$ and $s'$ the set of $C''$ such that $(C,s) \to (C'',s')$ is finite. ■

The laws given in Figure 2 continue to hold for the fair trace semantics, except that the inequation

$$C_1;(C_2 \parallel C) \;\sqsubseteq\; (C_1;C_2) \parallel C$$

may fail if $C_1$ has infinite traces. Nevertheless, the inequation still holds if $C_1$ is loop-free. Note that the fair trace semantics no longer identifies $\mathbf{await}\ \mathbf{false}\ \mathbf{then}\ \mathbf{skip}$ with $\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip}$, since the former denotes the empty set and the latter denotes the set of all infinite stuttering sequences.

10  Total  correctness 

We remarked earlier that the finite trace semantics for a loop $\mathbf{while}\ B\ \mathbf{do}\ C$ has an equivalent formulation as the least fixed point of the function

$$\lambda T.(\mathcal{T}[\![B]\!];\mathcal{T}[\![C]\!];T \cup \mathcal{T}[\![\neg B]\!]).$$

In the fair trace semantics, the loop's meaning is still a fixed point of this functional, but not the least. For instance, the loop $\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip}$ has for its fair traces all infinite stuttering sequences, whereas in the least fixed point semantics this loop denotes the empty set. This example also shows that the fair trace semantics does not correspond to the use of the greatest fixed point either. There is, therefore, a third form of semantics, obtained by using greatest fixed points in the semantic clause for loops. Under this semantics the above loop has all possible traces.

The trace sets constructed in this semantics enjoy a further closure property in addition to stuttering and mumbling:

• if $\alpha\beta \in \mathcal{T}[\![C]\!]$ and $\beta \in \Sigma^{\omega}$ is interference-free, then for all $\gamma \in \Sigma^{\infty}$ we also have $\alpha\gamma \in \mathcal{T}[\![C]\!]$.

We call this “closure under chattering”. This closure property has the effect of identifying all commands that may fail to terminate. This form of trace semantics is fully abstract with respect to total correctness behavior, defined by

$$\mathcal{M}[\![C]\!] = \{(s,s') \mid (C,s) \to^{*} (C',s')\,\mathit{term}\} \cup \{(s,s') \mid (C,s) \to^{\omega} \ \&\ s' \in S_{\bot}\}.$$

11  Robustness 

The full abstraction results given above relied only on certain general properties: monotonicity of the semantic definitions, compositionality, finite distinguishability, and the fact that the behavior of a program is embedded in its trace set. We can therefore extend these results to deal with any additional program constructs that do not violate these properties$^{5}$. For instance, we may add a non-deterministic choice construct $C_1\ \mathbf{or}\ C_2$, with operational semantics given by:

$$(C_1\ \mathbf{or}\ C_2,\,s) \to (C_1,s) \qquad\qquad (C_1\ \mathbf{or}\ C_2,\,s) \to (C_2,s).$$

Then $\mathcal{T}[\![C_1\ \mathbf{or}\ C_2]\!] = \mathcal{T}[\![C_1]\!] \cup \mathcal{T}[\![C_2]\!]$, and all of the previous development goes through with minor modifications. The semantics is still fully abstract, and the laws of programming given earlier continue to hold. In addition, $C \sqsubseteq C'$ if and only if $(C\ \mathbf{or}\ C') = C'$; $\mathbf{or}$ is idempotent, commutative and associative, and $\mathbf{or}$ distributes through sequential and parallel composition.

The coarse-grained semantics satisfies the law

$$I_1{:=}E_1 \parallel I_2{:=}E_2 \;=\; (I_1{:=}E_1;\ I_2{:=}E_2)\ \mathbf{or}\ (I_2{:=}E_2;\ I_1{:=}E_1),$$

but this fails in the fine-grained case: for example, when assignment is not atomic the parallel command $x{:=}x+1 \parallel x{:=}x+1$ has the trace $([x=0],[x=1])$, and this is not a trace of $x{:=}x+1;\ x{:=}x+1$.
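As an added example (not the paper's code), the following Python script implements the fine-grained operational semantics of Figure 5 for the loop-free fragment and enumerates the operational characterization of $\mathcal{T}[\![C]\!]$ from Section 8, bounded by a number of environment interruptions. It checks both fine-grained claims made above: $([x=0],[x=0])([x=1],[x=0])$ is a transition trace of $x{:=}x$ but not of $\mathbf{skip}$ (Section 8), and $([x=0],[x=1])$ is a trace of $x{:=}x+1 \parallel x{:=}x+1$ but not of $x{:=}x+1;\ x{:=}x+1$. The tuple encoding of commands, expressions and states, and the function names, are this example's own assumptions.

```python
SKIP = ('skip',)


def read(state, var):
    """States are constructed as sorted tuples of (name, value) pairs so they are hashable."""
    return dict(state)[var]


def write(state, var, value):
    d = dict(state)
    d[var] = value
    return tuple(sorted(d.items()))


def step_expr(e, state):
    """One atomic evaluation step of an integer expression: a single variable read, or
    arithmetic on values already read.  Encoding: ('const', n) | ('var', name) | ('plus', E1, E2)."""
    tag = e[0]
    if tag == 'const':
        return set()
    if tag == 'var':
        return {('const', read(state, e[1]))}
    if tag == 'plus':
        a, b = e[1], e[2]
        if a[0] == 'const' and b[0] == 'const':
            return {('const', a[1] + b[1])}
        return ({('plus', a2, b) for a2 in step_expr(a, state)}
                | {('plus', a, b2) for b2 in step_expr(b, state)})
    raise ValueError(tag)


def step(cmd, state):
    """Fine-grained transitions (C, s) -> (C', s'): the set of successor configurations.
    Encoding: ('skip',) | ('assign', var, E) | ('seq', C1, C2) | ('par', C1, C2).
    An assignment performs its reads one at a time and then one atomic write."""
    tag = cmd[0]
    if tag == 'skip':
        return set()
    if tag == 'assign':
        var, e = cmd[1], cmd[2]
        if e[0] == 'const':
            return {(SKIP, write(state, var, e[1]))}
        return {(('assign', var, e2), state) for e2 in step_expr(e, state)}
    if tag == 'seq':
        c1, c2 = cmd[1], cmd[2]
        if c1 == SKIP:
            return {(c2, state)}
        return {(('seq', c1p, c2), st) for c1p, st in step(c1, state)}
    if tag == 'par':
        c1, c2 = cmd[1], cmd[2]
        if c1 == SKIP:
            return {(c2, state)}
        if c2 == SKIP:
            return {(c1, state)}
        return ({(('par', c1p, c2), st) for c1p, st in step(c1, state)}
                | {(('par', c1, c2p), st) for c2p, st in step(c2, state)})
    raise ValueError(tag)


def reach(cmd, state):
    """All configurations (C', s') with (C, s) ->* (C', s') (finite for loop-free commands)."""
    seen, todo = set(), [(cmd, state)]
    while todo:
        cfg = todo.pop()
        if cfg not in seen:
            seen.add(cfg)
            todo.extend(step(*cfg))
    return seen


def transition_traces(cmd, s0, interrupt_states, max_interrupts):
    """Operational characterization of T[C]: all traces (s0,s0')(s1,s1')...(sk,sk') with
    (C,s0) ->* (C1,s0'), (C1,s1) ->* (C2,s1'), ..., (Ck,sk) ->* (skip,sk').  Each interruption
    moves the state to one of interrupt_states; at most max_interrupts are explored, so the
    result is a finite slice of T[C]."""
    result = set()

    def explore(c, s, prefix, interrupts):
        for c2, s2 in reach(c, s):
            trace = prefix + ((s, s2),)
            if c2 == SKIP:
                result.add(trace)
            if interrupts < max_interrupts:
                for s3 in interrupt_states:
                    explore(c2, s3, trace, interrupts + 1)

    explore(cmd, s0, (), 0)
    return result


def x_is(v):
    """Constructed state over the single variable x."""
    return (('x', v),)


X_ASSIGN_X = ('assign', 'x', ('var', 'x'))
INC_X = ('assign', 'x', ('plus', ('var', 'x'), ('const', 1)))


def self_assignment_vs_skip():
    """([x=0],[x=0])([x=1],[x=0]) is a trace of x:=x but not of skip."""
    trace = ((x_is(0), x_is(0)), (x_is(1), x_is(0)))
    env = (x_is(0), x_is(1))
    return (trace in transition_traces(X_ASSIGN_X, x_is(0), env, 1),
            trace in transition_traces(SKIP, x_is(0), env, 1))


def parallel_vs_sequential_increment():
    """Interference-free runs from x=0: x:=x+1 || x:=x+1 can end with x=1 (both read 0 before
    either writes), whereas x:=x+1; x:=x+1 always ends with x=2."""
    lost_update = ((x_is(0), x_is(1)),)
    par = transition_traces(('par', INC_X, INC_X), x_is(0), (), 0)
    seq = transition_traces(('seq', INC_X, INC_X), x_is(0), (), 0)
    return lost_update in par, lost_update in seq
```

The zero-interruption traces produced by `transition_traces` are exactly the interference-free ones, so the second check is the familiar lost-update race viewed through the trace semantics; the first check needs one interruption, since it is the environment that changes $x$ between the read and the write of $x{:=}x$.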

12  Summary  and  Conclusions 

We have introduced transition traces and used them as the basis for a variety of fully abstract semantics for a shared variable parallel programming language. Our results apply in coarse- and fine-grained versions to yield full abstraction with respect to three forms of program behavior: partial, strong, and total correctness. In each case, extra language features may be added without invalidating full abstraction, provided certain general semantic properties are preserved: in particular, the trace semantics of the new features must be definable compositionally and monotonically. This shows the flexibility and generality of our ideas and results.

Program constructs or operational assumptions (such as fairness) that give rise to unbounded nondeterminism do not appear to cause severe semantic problems in this framework. For instance, it is almost trivial to add a random assignment command $I{:=}?$ to the syntax, with the following semantics:

$$\mathcal{T}[\![I{:=}?]\!] = \{(s,[s \mid I = n]) \mid s \in S \ \&\ n \in N\}^{\dagger}.$$

This would not affect the validity of any of our results.


$^{5}$ Of course, the coroutine construct $C_1\ \mathbf{co}\ C_2$ from Hennessy-Plotkin cannot be handled by our semantics, since $\mathcal{T}[\![C_1\ \mathbf{co}\ C_2]\!]$ cannot be determined from $\mathcal{T}[\![C_1]\!]$ and $\mathcal{T}[\![C_2]\!]$.
It is interesting to compare our results with the work of Apt and Plotkin [2], who proved that for a sequential while-loop language with random assignment there is no denotational continuous least fixed point semantics that is fully abstract with respect to strong correctness. Our fair trace model provides a denotational continuous semantics for a parallel version of this language, and is fully abstract for strong correctness; but this is not a least fixed point semantics. The corresponding least fixed point semantics is fully abstract for partial correctness, and the corresponding greatest fixed point semantics is fully abstract for total correctness. For the sequential language there is no need to use traces to achieve full abstraction, as the behavior functions can be defined compositionally. When our definitions are adapted to the sequential setting they yield three fully abstract semantics for the Apt-Plotkin language, with respect to partial, strong, and total correctness respectively, again corresponding to the three interpretations of while-loops.

We plan further research into the use of transition trace semantics. In particular, with appropriate adjustments to represent deadlock, we can give a deadlock-sensitive transition trace semantics that can be used to reason about deadlock-freedom.